It can happen to you. And what you can do about it…

We’ve heard the phrase “it can happen to anyone” many times in life in many different contexts. The point of the saying is to humble us and remind us that no matter how smart and careful we are, bad things can still happen to us. We’re not so smart and careful that we can control everything.

In the realm of security and privacy, it’s very easy for people to start thinking that they can prevent bad things from happening if they’re smart and careful enough. There’s a tendency to think “Oh, people get malware because they’re stupid or go to bad sites like porn” or “people’s credit cards get stolen because they used it on dangerous sites or got malware on their system.”

While I’ve never gone so far as to think these things, I certainly think of myself as a relatively savvy, sophisticated user. I’ve been in the security and privacy business for over fifteen years. I do all the best practices, I’m careful. I’ve never had malware on my system to date (touch wood). I’ve never had my credit card stolen.

That is, until a few weeks ago.

My charmed life came to an end via email from my credit card company one Friday evening. It asked, did I make a charge for $268 with an online vitamin seller in Florida? I knew I hadn’t made that charge. I checked with my wife and she hadn’t either. So that would be no, that’s not my charge.

Fortunately I was home when I got the message and so immediately logged into my online account. I verified online the number for their anti-fraud division and called them while I was reviewing my pending charges. I saw the charge for dinner that I had just made, that was OK. I saw a couple of other charges of mine from the past day or two, those were OK. Then I saw a charge for $4.11 at a hotel in Naples, Florida. I’ve never been to Naples, Florida in my life, so I recognized that as a problem.

After a short wait, I was connected to an anti-fraud agent. I explained that the charge they asked about wasn’t mine. I also alerted them that the $4.11 charge was false (this was most likely a test charge to see if the card was still active). I told her that the other charges were valid. She denied the invalid charges, kept the valid ones and then we went through the process of cancelling that card and reissuing it.

Over the next couple of days I took time to do full security scans on all my systems that I use for online banking (they came up clean). I checked my other credit card statements for any unauthorized activity (no issues there). I’ve mentioned before that I have a real-time identity-theft and credit monitoring service: I was very happy to have that because that gave me confidence that nothing else had happened yet. I contacted my service and put a credit watch in place to thwart any possible future attempts to open unauthorized credit cards. I checked my credit report to make sure nothing slipped through and was opened without my knowing (nothing was).

Once I was done with all of that I then moved out of alert mode into watch mode and have been watching my statements closely to see if there’s any other unauthorized activity. So far, though, there hasn’t. I’ll keep watching closely like this for a few weeks yet.

So there’s the obvious question: how did this happen? None of the obvious means of loss apply to me here. I’ve never lost possession of my card save for at restaurants when you have to give it for them to run the check. So how this card was stolen is a mystery. Most likely the data was lost or stolen through issues with a back-end processor or a retailer.

And that’s really the point of this article. In this era of Target-type data breaches, the simple fact is that now more than ever these things really can happen to anyone. You can do all the right things and still fall victim because someone else isn’t doing the right thing. And this means you have to be prepared for bad things to happen unexpectedly, despite your best efforts.

To help you in case something like this should happen to you, here are ten tips on what to do to better protect yourself in case something like this happens to you and help you recover as quickly as possible.

TOP 10 TIPS: WHAT TO DO BEFORE OR AFTER CREDIT FRAUD

Before an incident

Make sure all of your computers and mobile devices that you use for online banking and finance are fully up to date for security updates and signatures (and don’t use Windows XP after April 2014).

If your credit card company offers an alerting service for suspicious charges, sign up for it.

Consider enrolling in a real-time identity-theft and credit monitoring service.

If an incident occurs

If contacted by your credit card company about a suspicious charge, respond to it immediately. Make sure you verify the phone number they are calling from either on your card or on the card issuer’s website.

Work with your credit card company to review all charges and cancel and replace the card right away.

Do a full security scan of all systems you use for online banking and finance.

Consider putting a credit alert in place to help prevent new accounts being opened in your name.

Review your credit report.

Review all of your credit card statements. Consider doing so on a daily or near daily basis after the event. Also consider verifying by reviewing your paper statements (some malware can alter online statements to hide malicious activity).

I am not a habitual big spender on my credit card but, from time to time, put big ticket items on this card. I usually alert the bank via their secure messaging system. However, it is interesting to note that this particular bank (HSBC) prefers to speak to clients by phone. It is not at all unusual to be contacted by the fraud department on my land line or mobile number on items on my credit card. I think I would be quite suspicious of any unsecured e-mail contact from my bank.

http://www.christopherbudd.com Christopher Budd

Hello and thanks for writing.

That’s a great thing to do, it’s good your bank has that capability.

And you’re right to be suspicious of email: I don’t ever respond to any email from my bank. These days most online banking also includes a secure message system that’s part of the online banking system, so that’s another option you can look into.

Just Me

How do we identify legitimate real-time identity-theft and credit monitoring services? How do we recognize legitimate credit report companies? There are so many advertised, and we know illegitimate companies can advertise, too.

http://www.christopherbudd.com Christopher Budd

Hello there,

Thanks for reading and posting.

This is an excellent question and the best advice I can give is to take the time to do research. Finding good recommendations from credible sources, including knowledgeable friends and family is really your best bet for finding a good, reputable service.

Just Me

I have the impression that TrendMicro’s mobile security package applies only to Androids, and Mac, but not iPhones and iPads. Is that correct? If so, why, and what are we supposed to do to protect those devices?

Meanwhile, exercise caution and be wary about what you choose to do with your mobile device.

Ruth

We went thru this twice, and was able to pin both incidents down to particular online transactions. That was mostly due to the fact that we WHITE OUT the security code on the back of our cards…. Memorized them, plus have them noted on slip in wallet.
Ruth

Dottie

That’s a good idea Ruth.

http://www.christopherbudd.com Christopher Budd

Yes that is a very good idea, thank you for sharing!

gotScanned

Anyone could easily scrape off the white-out…plus, having the codes stored elsewhere in the wallet doesn’t help if the entire wallet is stolen. In my case, I believe it was an RFID scanner that stole my Credit Card info, because my CC hadn’t left my pocket or wallet in 3-4 months prior to the data theft (hadn’t eaten @ a restaurant or been anywhere else where my CC was out of my sight). So I purchased some RFID-shielding CC sleeves, and the problem hasn’t recurred yet. (Knock on wood!) RFID Scanners are now small, relatively inexpensive, & easily hidden in a coat pocket. So, someone could be strolling by a line of cash registers @ the local Target or WalMart, with an RFID scanner in their pocket, picking up all the data from the unprotected CCs of the customers waiting in those lines to check out with their purchases.

Frank

So what exactly is a “full security scan of all systems you use for online banking and finance”?

http://www.christopherbudd.com Christopher Budd

Hello and thanks for reading and posting.

By a full scan I mean going into your security software and telling it to do a full scan as opposed to a “quick” scan. Each vendor’s terminology is slightly different but most packages have options like these. In this situation you want to take the time to do the full scan.

William

In both cases where my credit card was stolen, it was due to a mishandling of the carbon from the knucklebuster machine. At trade shows I fear using my credit card when they pull out that contraption–“You know, ever heard of Square?”

http://www.christopherbudd.com Christopher Budd

Hello, thanks so much for writing.

I’m sorry to hear you went through this.

Old technology is definitely a real problem these days. You might be interested in what I’ve written elsewhere about how the Target situation will, I think. lead eventually to improved security using things like Square.

I have Windows XP on my desk PC. Does the discontinuance of service to XP mean I should not use my desk PC after April 2014. I have Trend products to protect me. Will it do so after April of this year?

If you absolutely MUST use Windows XP then Trend Micro’s products will continue to work to protect you. But no matter how good our products are, nothing fully substitutes for security updates from the vendor, so this should be a last resort.

virgoman0

what if I only get online stmts?? I don’t use paper

http://www.christopherbudd.com Christopher Budd

Hi, thanks for your note. Often you can specifically request paper statements still.

If you can’t then the best you can do is to make sure you’ve got good security software running on your system that you use to check your statements.

Sherry

Please explain “mature security packages”.
I have Vipre 2012 antivirus for the life of my computer. What are your thoughts on this security package?Thanks.